14.2. DTLS-SRTP
DTLS-SRTP [RFC5764] defines DTLS-SRTP "SRTP protection profiles".
These profiles also correspond to the use of an AEAD algorithm in
SRTP. In order to allow the use of the algorithms defined in this
document in DTLS-SRTP, IANA has registered the following SRTP
protection profiles:
SRTP_AEAD_AES_128_GCM = {0x00, 0x07}
SRTP_AEAD_AES_256_GCM = {0x00, 0x08}
Below, we list the SRTP transform parameters for each of these
protection profiles. Unless separate parameters for SRTP and SRTCP
are explicitly listed, these parameters apply to both SRTP and SRTCP.
SRTP_AEAD_AES_128_GCM
cipher: AES_128_GCM
cipher_key_length: 128 bits
cipher_salt_length: 96 bits
aead_auth_tag_length: 16 octets
auth_function: NULL
auth_key_length: N/A
auth_tag_length: N/A
maximum lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_AEAD_AES_256_GCM
cipher: AES_256_GCM
cipher_key_length: 256 bits
cipher_salt_length: 96 bits
aead_auth_tag_length: 16 octets
auth_function: NULL
auth_key_length: N/A
auth_tag_length: N/A
maximum lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
Note that these SRTP protection profiles do not specify an
auth_function, auth_key_length, or auth_tag_length, because all
of these profiles use AEAD algorithms and thus do not use a
separate auth_function, auth_key, or auth_tag. The term
"aead_auth_tag_length" is used to emphasize that this refers to
the authentication tag provided by the AEAD algorithm and that
this tag is not located in the authentication tag field provided by
SRTP/SRTCP.

Section 11 of this document restricts the choice of KDF for AEAD
algorithms. To enforce this restriction in MIKEY, we require that
the SRTP Pseudorandom Function (PRF) has value AES-CM whenever an
AEAD algorithm is used. Note that, according to Section 6.10.1 of
[RFC3830], the input key length of the KDF (i.e., the SRTP master key
length) is always equal to the session encryption key length. This
means, for example, that AEAD_AES_256_GCM will use AES_256_CM_PRF as
the KDF.
16. Some RTP Test Vectors
The examples in this section are all based upon the same RTP packet
8040f17b 8041f8d3 5501a0b2 47616c6c
69612065 7374206f 6d6e6973 20646976
69736120 696e2070 61727465 73207472
6573
consisting of a 12-octet header (8040f17b 8041f8d3 5501a0b2) and a
38-octet payload (47616c6c 69612065 7374206f 6d6e6973 20646976
69736120 696e2070 61727465 73207472 6573), which is just the ASCII
string "Gallia est omnis divisa in partes tres". The salt used
(51756964 2070726f 2071756f) comes from the ASCII string "Quid pro
quo". The 16-octet (128-bit) key is 00 01 02 ... 0f, and the
32-octet (256-bit) key is 00 01 02 ... 1f. At the time this document
was written, the RTP payload type (1000000 binary = 64 decimal) was
an unassigned value.
As shown in Section 8.1, the IV is formed by XORing two 12-octet
values. The first 12-octet value is formed by concatenating two
zero octets, the 4-octet SSRC (found in the ninth through 12th octets
of the packet), the 4-octet rollover counter (ROC) maintained at each
end of the link, and the 2-octet sequence number (SEQ) (found in the
third and fourth octets of the packet). The second 12-octet value is
the salt, a value that is held constant at least until the key is
changed.
| Pad | SSRC | ROC | SEQ |
00 00 55 01 a0 b2 00 00 00 00 f1 7b
salt 51 75 69 64 20 70 72 6f 20 71 75 6f
------------------------------------
IV 51 75 3c 65 80 c2 72 6f 20 71 84 14
All of the RTP examples use this IV.

When encrypting and tagging an RTCP packet (E-flag = 1), the SRTCP
packet consists of the following fields in the following order:
- The first 8 octets of the RTCP packet (part of the AAD).
- The cipher.
- The ESRTCP word (the final part of the AAD).
- Any Raw Data that might have been appended to the end of the
original RTCP packet.
Recall that AEAD treats the authentication tag as an integral part of
the cipher, and in fact the authentication tag is the last 8 or
16 octets of the cipher.
The reader is reminded that when the RTCP packet is to be tagged but
not encrypted (E-flag = 0), GCM will produce a cipher that consists
solely of the 8-octet or 16-octet authentication tag. The tagged
SRTCP consists of the following fields in the order listed below:
- All of the AAD, except for the ESRTCP word.
- The cipher (= the authentication tag).
- The ESRTCP word (the final part of the AAD).
- Any Raw Data that might have been appended to the end of the
original RTCP packet.